On Monday, the Financial Times published a story concerning a proposed bill from Representative Tom Graves, a Republican from Georgia's 14th district.

The Seven Assumptions of Hacking Back

Private companies can attribute: "Very few, if any, private entities can as of today with high granularity determine who attacked them..."

The ability to engage a state-sponsored organization: "[It] is assumed that the counterstriking corporation can handle a heavily funded aggressive state-sponsored organization."

There will be no uncontrolled escalation: "If counter cyberattacks are legalized, logically it carries an assumption that there will be no uncontrolled escalation that affects a 3rd party."

The duplicated intellectual property is at one location: "This assumption also ignores the likelihood that the initial attacker uses backups to store their data so the initial attacker can retrieve the stolen information if lost."

Note: This list contains four of the seven assumptions outlined in a paper by Jan Kallberg, at the University of Texas at Dallas: A Right to Cybercounter Strikes: The Risks of Legalizing Hack Backs.

Graves has proposed changing the Computer Fraud and Abuse Act (CFAA) to allow organizations to fight back when they are attacked online. But is this a smart, or even workable, solution for enterprise operations?

Graves' proposal, the Active Cyber Defense Certainty Act (ACDC), was introduced in March of this year. The two-page draft has left some legal and security experts Thunderstruck, because 'hacking back' is a slippery slope that has more cons than pros.

According to Graves, the bill will alter the CFAA in order to allow the use of "limited defensive measures that exceed the boundaries of one's network in an attempt to identify and stop attackers."

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault. While the bill doesn’t solve every problem, it's an important first step," Graves said.

Salted Hash consulted legal experts and security managers for their take on the topic. On the legal side, experts said the draft (as it stands) is vague and lacks teeth. For example, a victim is defined as an "entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer."

So, what counts as persistent? Does the use of the word "intrusion" exclude DDoS attacks and phishing from the offenses an entity can respond to?

The security experts Salted Hash consulted were against 'hack back' scenarios in any shape or form, not only because they lack the resources to mount such an effort, but also because the legal risks outweigh any benefit.

So why is all of this back in the news?

After the person(s) responsible for WannaCry did their dirty deed earlier this month (dirt cheap too, as the Bitcoin wallets used for ransom payments are still sitting untouched), Graves said his bill, if it had already been passed, would've "had a positive impact potentially preventing the spread to individuals throughout the U.S."

“Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyberattack," Graves added.

That isn't exactly true. The spread of WannaCry was slowed because a researcher located the kill switch and activated it. Even then, a 'hack back' law would not have addressed the reason the ransomware was able to spread in the first place, and worse, such a law could've had damning consequences, as many of the attacking systems were victims themselves.

Would Graves' proposal address the missing patches and policy issues that leave an entity exposed to attack? As the draft stands now, it doesn't, and that's a big deal. Victim blaming doesn't really help, but at the same time, ignoring the basics (e.g. patches, compensating controls) isn't helping either.

The draft released in March is being rewritten to include some additional safeguards, including a requirement that an entity notify law enforcement if it chooses to 'hack back'.